New Delhi, India, August 7, 2014: A Russian group has reportedly hacked 1.2 billion usernames and passwords, belonging to over 500 million email addresses, according to a report by Hold Security. The firm claims that the information was stolen through more than 420,000 websites, and that the perpetrators ‘didn’t just target large companies; instead they targeted every site that their victims visited.’ The list of affected websites is said to include ‘leaders in virtually all industries across the world, as well as a magnitude of small or even personal websites.’
“The extent of data compromised is the core concern following this latest data breach revelation. It will result in three main threats: first, personal and sensitive information has been put at risk and can be used by criminals, second, the lost credentials could result in identity theft, third, and potentially the most significant for businesses, attackers can impersonate legitimate users to gain access to organisational assets and confidential information. All of which are made even more severe by the fact that numerous individuals often reuse their credentials across many accounts – personal and professional,” said Andrey Dulkin, senior director of cyber innovation, CyberArk.
“This report once again throws password security back into the spotlight and despite the fact that we are continually bombarded with tales of the increased cyber risks facing individuals and enterprises alike, the complacency surrounding password security remains an issue that must be addressed, rather than deemed inevitable. This is particularly important with privileged accounts, as it is to be expected that among the 1.2 billion credentials stolen, there are those that belong to administrators and other users who have high access and operational permissions in various networks. These credentials represent highly powerful and lucrative ‘keys to the kingdom’ within any network, as they will provide unrestricted access to an organisation’s most valuable assets; making them sitting ducks if left unguarded.
“Data breach incidents will no doubt continue to occur and their potentially severe consequences will only be mitigated by organisations tackling password security head-on. This can be achieved by identifying all privileged users and accounts, while managing and monitoring access and activity. Organisations should ask themselves: would they be able to detect impersonation and malicious activity in their networks, and intervene in time to prevent damage being done to their business? After all, it only takes one privileged credential to fall into the wrong hands to open up a huge data breach. For organisations, focusing on automated password management and ensuring strong passwords for sensitive assets is essential. For individuals, employing personal password managers and employing two-factor authentication whenever possible should be part of their normal thinking.”